Cisco Patches Critical VPN Vulnerability

Cisco Systems released a patch Monday to fix a critical security vulnerability in its Secure Sockets Layer VPN solution, the Adaptive Security Appliance. The vulnerability, according to a Cisco Security Advisory, could allow an unauthenticated, remote attacker to execute code on affected devices.

The vulnerability impacts nearly a dozen Cisco products, including the 3000 Series Industrial Security Appliance, ASA 5500-X Series Next-Generation Firewalls and the ASA 1000V Cloud Firewall. The bug (CVE-2018-0101) received a CVSS score of 10, the highest possible. There are no workarounds available for the bug, Cisco said.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device,” according to the advisory. “An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

Security experts are recommending impacted companies patch at their earliest opportunity because of the critical nature of the bug.

“Traditional VPNs like Cisco’s expose an open port to the Internet, so any remote user on the planet can connect to it,” said Jason Garbis, co-chair of the Cloud Security Alliance’s Software-Defined Perimeter Working Group. The vulnerability, he said, will give an attacker access to a corporate network.

“There are hundreds of thousands of these Cisco devices deployed worldwide. There are no workarounds – organizations must manually identify and patch all their Cisco ASA VPN servers in order to address this,” Garbis said.

While the vulnerability impacts many ASA devices, only those with the “webvpn” feature enabled are vulnerable, Cisco said. System administrators can check whether their device is vulnerable by confirming that the Cisco ASA software release is “9.2.4.25” or higher.

In its advisory, Cisco said it is aware of public knowledge of the vulnerability, but not aware of any instances the vulnerability has been exploited in the wild.

Cisco credited researcher Cedric Halbronn, with the NCC Group, for discovering the vulnerability. Halbronn is scheduled to give a talk regarding his discovery at the REcon computer security conference in Brussels, Belgium on Friday.

Comments (6)

According to the advisory, they state that several versions of 9 are vulnerable and that you should upgrade to the “fixed” version listed in their chart. For v9.2 they state that the first fixed release is 9.2.4.25 unless I’m interpreting it wrong.

Cisco versions don’t work exactly like that. There are a number of different version families, most of which have a version that is fixed. Copying their table is best, but to put it in word form:

If on 9.1.x (or lower), upgrade to 9.1.7.20 or higher
If on 9.2.x, upgrade to 9.2.4.25 or higher
If on 9.3.x or 9.4.x, upgrade to 9.4.4.14 or higher
If on 9.5.x or 9.6.x, upgrade to 9.6.3.20
If on 9.7.x, upgrade to 9.7.1.16 or higher
If on 9.8.x, upgrade to 9.8.2.14 or higher
If on 9.9.x, upgrade to 9.9.1.2 or higher

When saying “or higher”, you can resolve by upgrading 9.5.x to 9.8.x, as long as it’s equal to or above 9.8.2.14, for example.

Affected devices require a Software Upgrade to patch this vulnerability. Affected versions and the First Fixed Releases are displayed in the following table:

Cisco ASA Major Release | First Fixed Release
8.x [1]                 | Affected; migrate to 9.1.7.23 or later
9.0 [1]                 | Affected; migrate to 9.1.7.23 or later
9.1                     | 9.1.7.23
9.2                     | 9.2.4.27
9.3 [1]                 | Affected; migrate to 9.4.4.16 or later
9.4                     | 9.4.4.16
9.5 [1]                 | Affected; migrate to 9.6.4.3 or later
9.6                     | 9.6.4.3
9.7                     | 9.7.1.21
9.8                     | 9.8.2.20
9.9                     | 9.9.1.2

[1] ASA Software releases prior to 9.1 and ASA releases 9.3 and 9.5 have reached End of Software Maintenance. Customers should migrate to a supported release.
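The comments above make two points that are easy to get wrong when triaging a fleet: the fix is per release train, not a single version number, and "or higher" means a device can also be fixed by moving to a newer train, as long as it lands at or above that train's first fixed release. The following Python is an added example, not Cisco's tooling or anything from the article or its comments. It encodes the first-fixed-release table quoted in the last comment (the revision with 9.1.7.23, 9.2.4.27 and so on), treats the footnoted End-of-Maintenance trains as needing a migration rather than a point fix, and flags trains the table does not cover as "unknown" rather than guessing. The version-string format with parentheses, e.g. 9.8(2)20, is the form the ASA CLI prints in `show version`; the hostnames and versions in the sample inventory are constructed, not real devices. The webvpn flag reflects the article's statement that only devices with that feature enabled are exposed; whether a given interface actually has webvpn enabled has to come from the device configuration, which this example does not read.

```python
import re
from typing import NamedTuple, Optional

# Added example, not Cisco's tooling. Encodes the first-fixed-release table quoted in the
# comment above. Each release train maps to the first fixed release in that train; trains
# missing here are either End of Software Maintenance (EOL_MIGRATE) or not in the table.
FIRST_FIXED = {
    (9, 1): (9, 1, 7, 23),
    (9, 2): (9, 2, 4, 27),
    (9, 4): (9, 4, 4, 16),
    (9, 6): (9, 6, 4, 3),
    (9, 7): (9, 7, 1, 21),
    (9, 8): (9, 8, 2, 20),
    (9, 9): (9, 9, 1, 2),
}

# Footnote [1] of the table: these trains get no fix of their own; migrate to the listed release.
EOL_MIGRATE = {
    (9, 0): (9, 1, 7, 23),
    (9, 3): (9, 4, 4, 16),
    (9, 5): (9, 6, 4, 3),
}
PRE_9_1_MIGRATE = (9, 1, 7, 23)  # 8.x and earlier, also footnote [1]

# Accepts the dotted form used in the advisory table ("9.8.2.20") and the parenthesised
# form the ASA CLI prints in "show version" ("9.8(2)20"). The interim/build number is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+)\)?)?(?:\.?(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return a 4-tuple (major, minor, maintenance, interim); missing parts become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


class Assessment(NamedTuple):
    status: str            # "fixed", "vulnerable" or "unknown"
    target: Optional[str]  # release to move to, when the table names one
    exposed: bool          # vulnerable (or unknown) code *and* webvpn enabled


def assess(version: str, webvpn_enabled: bool = True) -> Assessment:
    """Compare a running ASA version against the first fixed release for its train."""
    v = parse_version(version)
    train = v[:2]
    if v[0] < 9:
        status, target = "vulnerable", PRE_9_1_MIGRATE
    elif train in EOL_MIGRATE:
        status, target = "vulnerable", EOL_MIGRATE[train]
    elif train in FIRST_FIXED:
        target = FIRST_FIXED[train]
        # Plain tuple comparison implements "first fixed release or higher" within the train.
        status = "fixed" if v >= target else "vulnerable"
    else:
        # Train not in the quoted table (e.g. newer than this advisory revision): do not
        # guess; treat as exposed if webvpn is on and look it up against the current advisory.
        return Assessment("unknown", None, webvpn_enabled)
    return Assessment(status, fmt(target), status == "vulnerable" and webvpn_enabled)


def triage(inventory):
    """Assess (hostname, version, webvpn_enabled) rows; exposed vulnerable hosts sort first."""
    rows = [(host, assess(ver, webvpn)) for host, ver, webvpn in inventory]
    order = {"vulnerable": 0, "unknown": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[1].status], not r[1].exposed, r[0]))


# Constructed sample inventory for illustration; not real devices.
SAMPLE_INVENTORY = [
    ("asa-hq-01", "9.8(2)20", True),      # exactly the first fixed release for 9.8
    ("asa-hq-02", "9.8.2.14", True),      # same train, below the fix
    ("asa-dc-01", "9.5(3)", True),        # End of Software Maintenance train
    ("asa-lab-01", "9.2.4.27", False),    # fixed, and webvpn not enabled anyway
    ("asa-branch-07", "9.10(1)", True),   # train not covered by the quoted table
]

if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {a.status:10} exposed={a.exposed!s:5} target={a.target}")
```

Running it lists the exposed End-of-Maintenance and below-fix devices first, then the train the table does not cover, then the fixed ones. Because the check keys on the running version's own train, a device that was moved from 9.5 to 9.8.2.20 is correctly reported as fixed, which is the cross-train "or higher" case the second commenter describes.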